Somewhat contrary for the sake of contrariness, but…
I’m told I shouldn’t use FB messenger, etc. with my friends because signal is better. Now I’m told everyone using signal should do this protracted shamrock paragon dance when calling people. There is no way my friends are going to do this.
So do we stick with FB messenger or do we use signal improperly?
Of course, my point isn’t really that I need an answer. I can decide for myself. But how is the advice that’s being blasted out enabling others to decide?
That’s well into territory where you have to analyze your own threat model. Are you considering only what they could do without asking you to log them into anything? Then you need to follow “lock down your phone” and “hide Signal messages on your lock screen”. Are you concerned that they might say “log into the phone” and do a deep inspection? Then you need to also delete messages.
I agree that the advice could be framed in a way that makes this all easier, but I do think the purpose and limitations of each step is clear. I think it would be very useful to have a “what’s your threat model?” flowchart for choosing communication technology. I do also think that the people who have serious concerns don’t need that advice; the benefit would be to help people convince themselves they don’t have serious concerns.
Yes. Alas this article lumps a lot of things together.
there are extra steps you must take if you want to maximize the security for your most sensitive conversations — the ones that could be misinterpreted by an employer, client, or airport security screener; might be of interest to a snooping government, whether at home or abroad; or could allow a thief or hacker to blackmail you or steal your identity.
Sounds like I need to follow all of the steps to protect against any of those threats.
But there’s no explanation why I need to do any one of them to protect against my clients. What are they going to do, exactly, if I skip all of this?
Or how are hackers going to steal my identity? From my Signal messages? What?
Honest question, now that Whatsapp implements the Signal protocol, is there any benefit to using Signal? Besides the fact that the Whatsapp client is closed source, that is.
It also has open source code, meaning it can be inspected to verify security.
Great, except you have no idea if this is the same code used to build the app. Do they add their own variations, do they use an entirely different repo? Do they add in an NSA or Facebook module? Short of building it yourself, open source essentially means nothing if you didn’t build it. The same applies to desktop: did Signal/Canonical/Mozilla use exactly the same version from a public repo to do the final build, or something else? Who knows.
Signal, Bitcoin and some other projects use reproducible builds. In the case of Bitcoin, for example, the same build must be produced by multiple independent actors before it’s considered clean. Signal isn’t there yet, but you can download the APKs and compare for yourself. And there are people out there who check.
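The "download the APKs and compare" step above, as an added example that is not part of the thread and not Signal's own tooling: an APK is a zip archive, so the check hashes every entry except the signature files under META-INF/ (a store-signed download and a locally built APK can never share those) and reports entries whose contents differ. The archives below are constructed inline to stand in for a store download and a local build.

```python
import hashlib
import io
import zipfile

# Entries under this prefix hold the signing certificate and manifest digests;
# they legitimately differ between a vendor-signed and a self-built APK.
SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes):
    """Map each non-signature, non-directory entry to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(store_apk, local_apk):
    """Sorted names of entries whose contents differ or that exist on one side only."""
    a, b = entry_digests(store_apk), entry_digests(local_apk)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def build_apk(entries):
    """Constructed helper: pack a dict of name -> bytes into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: same code, different signatures (reproducible) versus a
# build whose classes.dex was changed (not reproducible).
_COMMON = {"AndroidManifest.xml": b"<manifest/>"}
STORE = build_apk({**_COMMON, "classes.dex": b"dex\n035\x00" + b"A" * 64,
                   "META-INF/CERT.RSA": b"store-signature"})
LOCAL_GOOD = build_apk({**_COMMON, "classes.dex": b"dex\n035\x00" + b"A" * 64,
                        "META-INF/CERT.RSA": b"my-own-signature"})
LOCAL_TAMPERED = build_apk({**_COMMON, "classes.dex": b"dex\n035\x00" + b"B" * 64,
                            "META-INF/CERT.RSA": b"my-own-signature"})

if __name__ == "__main__":
    print("reproducible build differs in:", apk_diff(STORE, LOCAL_GOOD))      # []
    print("tampered build differs in:", apk_diff(STORE, LOCAL_TAMPERED))      # ['classes.dex']
```

A real run would point the two arguments at the store-downloaded APK and the output of the project's documented reproducible-build procedure; an empty diff is the evidence the commenter is describing.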
Those who have a solid reason to verify verbally, will.
The rest of us simply should be doing it to get in the habit of it for that one call that might really need verbal verification.
Unfortunately, this doesn’t really help. I don’t want the airport screeners to read my messages. Do I need to follow all these instructions or not?
Too many rules; didn’t follow.